···
+
description = "Enable the spiped service module.";
+
type = types.attrsOf (types.submodule (
+
Take unencrypted connections from the
+
<literal>source</literal> socket and send encrypted
+
connections to the <literal>target</literal> socket.
+
Take encrypted connections from the
+
<literal>source</literal> socket and send unencrypted
+
connections to the <literal>target</literal> socket.
+
Address on which spiped should listen for incoming
+
connections. Must be in one of the following formats:
+
<literal>/absolute/path/to/unix/socket</literal>,
+
<literal>host.name:port</literal>,
+
<literal>[ip.v4.ad.dr]:port</literal> or
+
<literal>[ipv6::addr]:port</literal> - note that
+
hostnames are resolved when spiped is launched and are
+
not re-resolved later; thus if DNS entries change
+
spiped will continue to connect to the expired
+
description = "Address to which spiped should connect.";
+
Name of a file containing the spiped key. As the
+
daemon runs as the <literal>spiped</literal> user, the
+
key file must be somewhere owned by that user. By
+
default, we recommend putting the keys for any spipe
+
services in <literal>/var/lib/spiped</literal>.
+
Timeout, in seconds, after which an attempt to connect to
+
the target or a protocol handshake will be aborted (and the
+
connection dropped) if not completed
+
Limit on the number of simultaneous connections allowed.
+
waitForDNS = mkOption {
+
Wait for DNS. Normally when <literal>spiped</literal> is
+
launched it resolves addresses and binds to its source
+
socket before the parent process returns; with this option
+
it will daemonize first and retry failed DNS lookups until
+
they succeed. This allows <literal>spiped</literal> to
+
launch even if DNS isn't set up yet, but at the expense of
+
losing the guarantee that once <literal>spiped</literal> has
+
finished launching it will be ready to create pipes.
+
disableKeepalives = mkOption {
+
description = "Disable transport layer keep-alives.";
+
weakHandshake = mkOption {
+
Use fast/weak handshaking: This reduces the CPU time spent
+
in the initial connection setup, at the expense of losing
+
perfect forward secrecy.
+
resolveRefresh = mkOption {
+
Resolution refresh time for the target socket, in seconds.
+
disableReresolution = mkOption {
+
description = "Disable target address re-resolution.";
+
example = literalExample ''
+
{ keyfile = "/var/lib/spiped/pipe1.key";
+
source = "localhost:6000";
+
target = "endpoint.example.com:7000";
+
{ keyfile = "/var/lib/spiped/pipe2.key";
+
source = "0.0.0.0:7000";
+
target = "localhost:3000";
+
Configuration for a secure pipe daemon. The daemon can be
+
started, stopped, or examined using
+
<literal>systemctl</literal>, under the name
+
<literal>spiped@foo</literal>.
+
config = mkIf cfg.enable {
assertions = mapAttrsToList (name: c: {
assertion = (c.encrypt -> !c.decrypt) || (c.decrypt -> c.encrypt);
message = "A pipe must either encrypt or decrypt";
users.extraGroups.spiped.gid = config.ids.gids.spiped;
users.extraUsers.spiped = {
···
script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`";
+
system.activationScripts.spiped = optionalString (cfg.config != {})
"mkdir -p /var/lib/spiped";
# Setup spiped config files
···
(if cfg.disableReresolution then "-R"
else "-r ${toString cfg.resolveRefresh}")
pyrox.dev